I work for a company in IT. This company has quite a few retail locations. This was my first job out of college; I went to school for Computer Science and got my BA, however, I never took a networking class of any sort, I was pretty much going for programming. I feel my boss has no idea what he is doing, is slow, and is putting the company at risk. What would you do?

There are only two of us in the IT department, boss and myself, and we take care of everything. When I first started, even I knew stuff was wrong. First of all, there is a server in every store which was logged in as domain admin and anyone had access to it. This server holds all customer and cc info; cc info is encrypted. Actually, every computer in all the stores had domain admin privileges and was logged in at all times. The computer that runs the cc gateway was logged in at all times with no screen lock. As well, the cc numbers go across the network unencrypted and the drop location is shared with everyone on that computer. There is no anti-virus on any computer or server. There were computers with up to 200 Windows updates needed. Firewalls are over 4 years old with no maintenance plans. There are no policies or procedures. PCI compliance is a foreign word. And let me tell you, this is just the beginning. I have fixed a few things since I have worked there, but there are tons remaining. Is this normal for a company to be this insecure? If not, what would you do? Like I said, I went to school for programming so this is pretty new to me. But I feel we could get breached any minute; in fact, we might be breached already, who knows, things are so screwy we would never know.

As far as what to do now? Well, there are choices. You can talk to your boss, but that seems like a bad way to go. You can talk to management - are they receptive to having made a mistake? To being in a legal hotspot?

Before you do anything, make documentation but keep it to yourself. List issues and have that safe somewhere - maybe at home. Protect yourself.

In many cases, management doesn't mean to do this stuff, they just are not competent. They might be very happy, sort of, to find out that your boss has been scamming them all of this time. But they might be pretty unhappy because what you are proposing is going to cost them money. Likely they are happily paying either very little to him because he is cheap or a lot because he is a friend or family.

Consider just looking for another job. IT departments don't get fixed from the bottom up. Not endemic issues like this. This isn't a technical mistake, this is an overarching business problem. That you are in IT is only coincidental. If management is putting customer data at risk because they can't be bothered to be on top of their business... well that is hardly an IT problem at the root and making a ruckus is not likely going to end well for you.

Do you have an HR or legal team that will protect you before you talk to management?

29 Replies

This is far, far more common than you can imagine. In the SMB market you have to remember that IT managers are typically hired by people with zero technical or business training so they lack the skills to vet a technical manager and lack the business skills to realize that they need outside help to do so. So they hire someone at random and put themselves at risk without ever checking in to see if they are being competent - because how would the managers know? Not understanding the concept of risk seems to be a hallmark of small businesses and especially small business IT departments.

The last company we bought was this way. The domain admin password was 4 characters. User passwords were discoverable by anyone in the company since they used personal info to create them and it was the standard way they set up their accounts.

Document, document, and document some more. Take your findings to upper management and let them know that Best Practices/Law are not being followed. Make sure to have several options on how to fix each item, along with costs and repercussions of what will happen if they are not fixed.

From the description I wouldn't doubt it if there were licensing issues on the software as well.

And going with what SAM said: not understanding is one thing, but knowing and willfully disregarding is a completely different ball game.

I suggest not speaking poorly about your boss. Your boss is probably working the best they can, or with the best knowledge they have. This is a great opportunity for you to grow and expand your skillset. When you see an issue, find a solution and work with your boss to implement it.

Do NOT point out all the security issues to the other staff. The last thing you want to do is have them lose respect for, or confidence in, your boss or their setup. Your boss goes... you may very well go too.

Again, find solutions and work with your boss to implement them. Don't use this as an opportunity to bad mouth your boss or the job that has been done, use this as an opportunity to increase your skills while helping secure the organization.

Jon, you gotta take things in your hands and rectify things here. We do a lot of credit card transactions and we make sure that CC info is completely safe, not even accessible to employees.

First off, get an AV subscription or at least have some sort of AV like MS Security Essentials if spending is a problem.

Having domain admin rights with no AV is just an invitation for virus/malware.

If you have multiple locations, why not connect the HQ with these locations over VPN so that the server at HQ is the only one that needs your attention, and in this way you could set up WSUS for Windows updates.

Probably you already realize that but it is essential that you make your boss understand the consequences of this security-less infrastructure.

Does he have a passion for IT and the company? If not, he may just be a jobber, and may have the mentality of, "It just has to work". He may also be a dinosaur that is outdated with current best practices and you may want to be the person to jump in. By jumping in, you may one day step on his toes, and if so, you may want to know the next exec in line to report to. By reporting to them (without pissing off your boss) with quick updates, they will hopefully see what you can do and what he cannot or won't do. That may show how beneficial you could be to the company.

Either way, I would keep a running log with everything that you find that should be addressed. This will help you manage upcoming tasks efficiently. Also, when review time comes around, it may serve another purpose :)

Once that list is compiled, I would schedule some face time with your boss to discuss the issues. You may want to discuss the issues, with possible resolutions, and the need for the issues. I would also discuss the negative impacts that could occur if the issues remain unaddressed.

Remember, most IT people (especially bosses), like to think they know everything (or do not like to admit when they don't). So don't swing at his ego when addressing these issues, use some tact in the conversation.

Thanks for all the replies. Someone mentioned looking for a different job. I have been looking for a different job and have a few upcoming interviews. I know I am not the solution to the problem, I have very little experience with networking and all that stuff, I am a programmer and took this job out of college for experience and thought maybe I would like doing networking stuff. We do well over one million cc transactions a year which puts us in a higher tier for PCI compliance. I will indeed keep documentation. I almost feel if something happens I will partly be responsible. Maybe I should talk with the HR manager so it is documented that I have concerns. Thanks again for all the replies and suggestions.

I would ask if your company has looked into any PCI compliance training. This way, if they do and most businesses dealing with payment cards do want this distinction, it will force your manager to adjust the infrastructure.

In his defense, I was a Director of IT for a company a couple of years back and trying to do things the right way was like pulling teeth. The company I had worked for had a CFO who hired inexperienced contractors who f**ked stuff up all the time. When I was hired, I would bring these issues to his attention which resulted in an argument 90% of the time. Eventually I had enough and figured my reputation was not worth the job.

I would report this to a higher management in a way that would not anger/harm your boss, but allow you to spruce the place up. In reporting these things not only are you showing concern/ responsibility in your job but you are also showing the person employing you that you are serious about your job.

As far as the anti-virus goes: If money is an issue then go with a free antivirus like mentioned above (Microsoft Security Essentials); if that is not an issue I would suggest Avast!. Avast has always done a great job with their products.

As far as the other problems:

I would suggest just having your server at the central location (where you work) and using a VPN. Make each employee an individual user account, and only use the domain admin when needed.

I am also in a similar situation as far as being one of two IT people in a business, and of course me being the new employee. If I had these problems this is exactly what I would do. Everything could go to crap quickly, as long as things at your business stay the way that they are.
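The two replies above (get AV everywhere, stop running stores as domain admin, patch them centrally) all start with knowing which store machines are actually in that state. This is an added example, not code from this thread or any of its posters: a PowerShell script run from the central office that asks each store machine who is logged on at the console, whether that account is effectively a Domain Admin, when it last received an update, and whether any antivirus is registered. It assumes the ActiveDirectory RSAT module on the machine you run it from, PowerShell Remoting enabled on the stores, and an account that is a local administrator there; the computer names are constructed placeholders.

```powershell
# Added example (not from this thread): audit store machines for the problems
# described above. Assumes the ActiveDirectory module (RSAT) where this runs,
# PowerShell Remoting enabled on the targets, and an account that is a local
# administrator on them. Computer names are constructed placeholders.
Import-Module ActiveDirectory

$Computers = @('STORE01-SRV', 'STORE01-POS1', 'STORE02-POS1')

# Everyone who is effectively a Domain Admin, nested groups included
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

# Runs on each store machine and reports the raw facts
$remoteCheck = {
    # Interactive console user, e.g. CORP\register1 (empty if nobody is logged on)
    $user = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName

    # Date of the most recently installed update; months old means nobody patches
    $lastPatch = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1 -ExpandProperty InstalledOn

    # Antivirus registered with Security Center (client SKUs only; servers return nothing)
    $av = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty displayName)
    $avText = if ($av.Count -gt 0) { $av -join '; ' } else { 'NONE' }

    [pscustomobject]@{
        LoggedOnUser = $user
        LastPatch    = $lastPatch
        AntiVirus    = $avText
    }
}

$results = foreach ($computer in $Computers) {
    try {
        $r = Invoke-Command -ComputerName $computer -ScriptBlock $remoteCheck -ErrorAction Stop
        # Strip the DOMAIN\ prefix so the name compares against SamAccountName
        $sam = if ($r.LoggedOnUser) { ($r.LoggedOnUser -split '\\')[-1] } else { $null }
        [pscustomobject]@{
            Computer     = $computer
            LoggedOnUser = $r.LoggedOnUser
            LoggedOnIsDA = [bool]($sam -and ($domainAdmins -contains $sam))
            LastPatch    = $r.LastPatch
            AntiVirus    = $r.AntiVirus
        }
    }
    catch {
        # An unreachable store is a finding too; keep it in the report
        [pscustomobject]@{
            Computer     = $computer
            LoggedOnUser = "UNREACHABLE: $($_.Exception.Message)"
            LoggedOnIsDA = $null
            LastPatch    = $null
            AntiVirus    = $null
        }
    }
}

# Worst first on screen, plus a dated CSV for the paper trail the replies recommend
$results | Sort-Object LoggedOnIsDA -Descending | Format-Table -AutoSize
$results | Export-Csv -Path ("store-audit-{0:yyyy-MM-dd}.csv" -f (Get-Date)) -NoTypeInformation
```

Rows with LoggedOnIsDA set to True are the registers running under a Domain Admins account that the replies warn about; AntiVirus of NONE on a client SKU and a LastPatch date months back are the other two findings, and the CSV gives you the dated record the thread keeps telling you to keep.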

I know how you feel. The credit union I work for, first job out of college as well, is identical to your situation. My boss has no experience in the networking area and it's said that I know as much, if not more, than he does and he's been doing this 20+ years. As SAM said, definitely make notes of everything you find that is wrong and keep it to yourself. That's what I've done here and tried to correct some things as time has gone on.

This can be an excellent opportunity but at the same time a frustrating one too. Give it a while and see if things improve. I know I've been here almost a year and a half and I've been able to turn some things around but I still have those frustrating times when I'm trying to explain things. If you still don't like the situation after a period of time, then you may want to start looking for another position because, like any other job, if you're not happy then you won't enjoy the challenges/accomplishments that come with being in IT. I'm in the process of looking now.

I've been put in a situation/position that is the go-to person. If I don't know the answers, I'm supposed to learn what the answer(s) are and then turn around and teach my boss. Most of the time when you walk into something like this the manager has little experience running a network environment (i.e. comes from a different area of IT); in my case my boss is an ex-programmer, no offense to any programmers, but has no clue on what it takes to set up servers, networks, etc. Everything that has been done here has been third-partied.

Going into my first real (i.e. hired on full time, salary, benefits, etc.) IT job after college, it was obvious that there was a significant lack of knowledgeable oversight in the department. I, like you, was hired as the tech to work under the IT Administrator. One month after working there, I was approached by his boss that said learn everything you can from him this month because he is being let go and I was to take his place. If higher management is paying attention, they will notice the improvements and changes that you implement in a very short amount of time.

You have some MAJOR issues if you have all users' CC information stored locally. If you are going to do so, you NEED to be PCI compliant and just from your paragraph above you are not compliant at all.

1. Make a point to tell management/CEO that this is a HUGE issue.

2. Read up on PCI Compliance and why it's important. Failing to be compliant can lead to major fines in the MILLIONS from the credit card companies.

3. Put everything in writing and have your supervisor/manager/boss/management sign off on it.

4. Hire an outside consultant and get PCI Compliant. I can't stress enough how much you are putting your company at risk having credit card information floating around out there. It sounds like a Hackers' Heaven.

This is very, very common in SMB like SAM said. That is what I have worked in all my life and I have seen good and bad and ugly. It really depends on the knowledge of the higher ups and whether they are willing to listen to you and your changes. The biggest part I would say is to do what you can now, and do it right. Research, research, research! There's so much out there that can be solved with free applications or just a bit of research into how.

Document your issues, come up with ideas on how to correct issues (the more the better), present your findings, and then take it from there. If they decide not to allow you to dedicate time to these issues, or don't want to do anything about them, then yes it's time to just move on.

Joe85: I don't see it changing any time soon, but by not being a part of the problem you are part of the solution. As those who grew up with computers move into and take over the work force, I think we will see these issues become less and less.

Yes, if you have an HR manager and fear that the company might be doing something illegal or unethical, that is the place to go first.

I'm assuming that they are larger than 10 workstations. That's the licensing size limit for MSSE. Comodo is the only free option of which I am aware for an organization of any size and the cost of managing it would be likely higher than the cost of purchasing something good - which is where AV companies make their money.

Managers & CEOs not knowing tech is extremely common, and that will not change, so don't waste time trying to get them to become tech savvy. They want to hear solutions to problems, with various options, and which option you suggest. Feel free to brag on yourself by documenting what you have done & have found. You don't need to point blame, just point what is the problem and what you will do to solve it.

This is a double-edged sword. You can look at it in two ways. First the positive. You have a tremendous opportunity to learn a great deal about all aspects of network systems, security, PCI Compliance and much more. However this comes at a great cost: frustration and long days (if you even get to that point). You first have to be able to get your boss's buy-in on getting all the things corrected. This I can tell won't be an easy task (I'm going through a bit of this myself). Maybe suggest you guys bring in a consultant. It sounds like you may need to start with a network assessment to get an idea of priorities that need to be addressed first.

The other option is quit and put down in writing your concerns and the reasons for leaving. There is nothing worse than walking away from a job knowing that nothing will ever change. If you at least tell someone, you can say you tried.

Overall this is a tough spot you're in. Either way I think you need to make someone aware of the problems you find.

I have been in the exact same boat, freakishly so in fact. I came from a programming background and noticed all of the issues you describe and then some.

The first thing to do is to speak to your boss; it's just the right thing to do. Voice your concerns. If you get poor answers such as, it's fine and has worked that way for years etc., then you may need to take it further.

Document it all and report it to his boss and point out that you tried to sort it with him first. This way you're pretty covered in the event it all hits the fan.

If nothing gets done about it then there are 2 scenarios.

You can either run yourself ragged fixing problems that were there before your time and that no one else will, for little to no thanks.

Or you sit back and do what they ask of you until it all goes kaboom. This will probably end up with you having to fix everything anyway but at least this way you get to say I told you so, and will more likely get credit, as well as your boss having to hold his hand up.